DEEPSEC: Windows Pwn 7 OEM – Owned Every Mobile?

Windows Phone 7 is new to the market and has thus not been as widely tested as Android and iOS alternatives. This talk seeks to give an overview of the platform and some security issues.

< Full slides from the Bluehat version of this presentation are available here >

< What follows are notes from the presentation in case they differ from the previously presented information >

Windows Phone OS 7

The same base OS is used across all OEM phones. However, OEMs are permitted to make changes, which gives them the ability to customise the system.

Windows Phone 7 is meant to be a closed platform. Changes to the underlying OS aren’t meant to be made by the user, and thus are undocumented.

Custom Windows CE 6/7

ARMv7 processor

32-bit platform

Application Model

No native code for 3rd party developers

Third-party apps are written in C# against Silverlight/XNA and run on the .NET CLR

Applications are required to be signed

No side loading

Marketplace validation

Security features

Chamber based security model

Dynamic capabilities (LPC, the Least Privileged Chamber)

WPManifest.xml

ID_CAP_CAMERA

ID_CAP_INTEROPSERVICES

ID_CAP_….
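The capability list is the first thing a reviewer would audit for an app. What follows is an added example, not code from the talk or from the Windows Phone SDK: it parses a manifest with the element layout assumed below (the `<Capabilities>`/`<Capability Name="..."/>` structure, the `Deployment` namespace and the sample manifest are all constructed for illustration) and flags ID_CAP_INTEROPSERVICES, the capability the talk later identifies as the route from the sandbox to OEM drivers.

```python
"""Audit the ID_CAP_* capabilities an app requests in its manifest.

Added example, not from the talk or the Windows Phone SDK. The element
layout (<Capabilities><Capability Name="..."/>), the Deployment namespace
and the sample manifest are assumptions constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Capabilities worth a second look. ID_CAP_INTEROPSERVICES is the one the
# talk singles out: it exposes OEM native (interop) components to a managed
# app, and those drivers were the route out of the sandbox to the filesystem.
HIGH_RISK: Dict[str, str] = {
    "ID_CAP_INTEROPSERVICES": "exposes OEM native interop services; sandbox escape route",
}

# Constructed sample manifest, not a real app's. The duplicate camera entry
# is deliberate, to show that the audit de-duplicates.
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" AppPlatformVersion="7.0">
  <App Title="OemTuner" Publisher="Example OEM">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_CAMERA" />
      <Capability Name="ID_CAP_INTEROPSERVICES" />
      <Capability Name="ID_CAP_CAMERA" />
    </Capabilities>
  </App>
</Deployment>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}Capability' -> 'Capability'."""
    return tag.rsplit("}", 1)[-1]


def parse_capabilities(manifest_xml: str) -> List[str]:
    """Return the requested ID_CAP_* names, in manifest order, de-duplicated."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    seen: List[str] = []
    for elem in root.iter():
        if _local(elem.tag) != "Capability":
            continue
        name = (elem.get("Name") or "").strip()
        # Ignore malformed entries rather than letting them masquerade as a
        # capability the marketplace validator would never grant.
        if name.startswith("ID_CAP_") and name not in seen:
            seen.append(name)
    return seen


def audit(manifest_xml: str) -> Dict[str, object]:
    """Summarise requested capabilities and the high-risk subset."""
    requested = parse_capabilities(manifest_xml)
    flagged = {cap: HIGH_RISK[cap] for cap in requested if cap in HIGH_RISK}
    return {"requested": requested, "flagged": flagged, "needs_review": bool(flagged)}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for cap in report["requested"]:
        marker = "!!" if cap in report["flagged"] else "  "
        print(f"{marker} {cap}")
    for cap, why in report["flagged"].items():
        print(f"review: {cap}: {why}")
```

The namespace is stripped before matching so the same audit works whether or not the manifest carries the `Deployment` xmlns; anything that does not start with `ID_CAP_` is dropped rather than reported.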

Code Signing (LPC)

In ROM binaries implicitly trusted

Any further binaries require signing

Exception is developer unlocked devices

Policy files contain a hash of the signing certificate. If the signature validates against that certificate, the application is granted LV_ACCESS_EXECUTE.
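The three signing rules above (in-ROM code implicitly trusted, everything else signed against a policy-pinned certificate, developer unlock as the exception) have an order of precedence that matters. The following is an added model of that decision, not code from the talk or from Windows Phone itself: the policy representation (a set of SHA-256 hashes of trusted signing certificates), the in-ROM path prefix, the certificate byte strings and the way the developer-unlock exception is modelled are assumptions constructed for illustration; LV_ACCESS_EXECUTE is the right named in the notes. Cryptographic verification of the binary's signature against `signer_cert` is assumed to have already happened, so the model only shows which signers the policy trusts and in which order the rules apply.

```python
"""Model of the load-time trust decision sketched in the notes above.

Added example, not code from the talk or from Windows Phone. The policy
format (SHA-256 hashes of trusted certificates), ROM_PREFIX, the
certificate stand-ins and the developer-unlock handling are assumptions
constructed for illustration. Signature verification is assumed done.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ROM_PREFIX = "\\Windows\\"          # assumption: in-ROM modules live here
LV_ACCESS_EXECUTE = "LV_ACCESS_EXECUTE"
DENY = "DENY"

# Constructed stand-ins for DER-encoded certificates, not real certificates.
TRUSTED_CERT = b"-- constructed marketplace signing cert --"
UNKNOWN_CERT = b"-- constructed self-signed cert --"


@dataclass(frozen=True)
class Module:
    path: str
    signer_cert: Optional[bytes]   # None means the binary carries no signature


@dataclass(frozen=True)
class Device:
    dev_unlocked: bool


def cert_hash(cert: bytes) -> str:
    """Hash a certificate the way the policy stores it (assumed SHA-256)."""
    return hashlib.sha256(cert).hexdigest()


def build_policy(*trusted_certs: bytes) -> Set[str]:
    """A policy is just the set of certificate hashes allowed to sign code."""
    return {cert_hash(c) for c in trusted_certs}


def load_decision(module: Module, policy: Set[str], device: Device) -> Tuple[str, str]:
    """Return (decision, reason) for loading `module` on `device`.

    Rule order mirrors the notes: in-ROM code is implicitly trusted, any
    other binary must be signed by a certificate whose hash is in the
    policy, and a developer-unlocked device is the one exception.
    """
    # 1. Trust by location (Windows paths are case-insensitive). This is only
    #    as strong as the write protection of ROM_PREFIX: anything able to
    #    drop a file there inherits the trust.
    if module.path.lower().startswith(ROM_PREFIX.lower()):
        return LV_ACCESS_EXECUTE, "in-ROM module, implicitly trusted"

    # 2. Trust by signer: the policy pins certificate hashes, not names.
    if module.signer_cert is not None and cert_hash(module.signer_cert) in policy:
        return LV_ACCESS_EXECUTE, "signed by a policy-trusted certificate"

    # 3. Developer unlock: sideloaded code runs without a trusted signature.
    if device.dev_unlocked:
        return LV_ACCESS_EXECUTE, "not policy-signed, but device is developer unlocked"

    return DENY, "unsigned or signed by an unknown certificate on a locked device"


if __name__ == "__main__":
    policy = build_policy(TRUSTED_CERT)
    for mod, dev in [
        (Module("\\Windows\\coredll.dll", None), Device(False)),
        (Module("\\Applications\\Install\\app.dll", TRUSTED_CERT), Device(False)),
        (Module("\\Applications\\Install\\app.dll", UNKNOWN_CERT), Device(False)),
        (Module("\\Applications\\Install\\app.dll", UNKNOWN_CERT), Device(True)),
    ]:
        decision, why = load_decision(mod, policy, dev)
        print(f"{decision:18} {mod.path}: {why}")
```

The point worth keeping in mind from this model is rule 1: once a module is trusted by where it sits rather than by who signed it, the filesystem itself becomes part of the trust boundary.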

Loader Verifier Module (LVMOD)

Kernel-based module (TCB)

Authentication and Authorisation

Policy Framework

Code Signing

accountdb.vol

Controls all authentication and authorisation on the device.

Policy Framework

XML-based

Per-module policy XML files are combined into a centralised policydb.vol database

TCB protected

Exploit Mitigation

ASLR (Address Space Layout Randomization)

XN (Execute Never)

WP7 Exploit Development

Crash dumps don’t provide much information (128 KB of data), and the dump files are not easy to get at because they are stored in a location that is not accessible from within the sandbox. By abusing ID_CAP_INTEROPSERVICES it is possible to use OEM device drivers to access the underlying filesystem.

As WP7 implements ASLR and XN, a vulnerability is required just to gain code execution inside the least-privileged chamber sandbox. A further exploit is then needed to gain full permissions and access to the really interesting data.

Other platform OEM Vulnerabilities

Examining bugs on other platforms that were introduced by OEMs shows that the elevated privileges OEMs have on phones have caused vulnerabilities in the past.

Disclaimer

The contents of this personal blog are solely my own opinions and comments, as such they do not reflect the opinions of my employer(s) past, present or future. No legal liability is accepted for anything you do, think, or consider fact as the basis of articles and links posted on this blog.

"Three to one...two...one...probability factor of one to one...we have normality, I repeat we have normality. Anything you still can’t cope with is therefore your own problem."

Note: A large portion of the content I post on my blog comes from "live blogging" of security conferences. These posts are in note form and are written live during a talk. As such, errors and omissions are expected. I'm only human after all!